SRC012 — https://thenewstack.io/checking-linuxs-code-with-static-analysis-tools/

Metadata
| Field | Value |
|---|---|
| URL | https://thenewstack.io/checking-linuxs-code-with-static-analysis-tools/ |
| Authors | The New Stack, quoting Shuah Khan (Linux Foundation Fellow, kernel maintainer) |
| Date | June 2, 2021 |
Content Summary

Linux kernel maintainer Shuah Khan discusses the kernel's static analysis tooling: `checkpatch.pl` for pattern-based checks, Sparse (written by Linus Torvalds) for C parsing and symbol tables, Smatch for cross-function value analysis, and Coccinelle for complex tree-wide pattern matching. Khan notes that most of these tools suffer from false positives and that gcc's `-fanalyzer` is a promising addition for CWE detection. The kernel uses its own specialized tools rather than general-purpose SAST.
Reliability: High
Interview with an authoritative source (Linux kernel maintainer and Linux Foundation Fellow) in a reputable tech publication.
Relevance: High
Directly addresses Q003 about Linux kernel CI tooling choices and why bespoke tools are preferred.
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Low risk | Covers the key kernel static analysis tools comprehensively. |
| Measurement | Low risk | Expert testimony from a primary source. |
| Selective Reporting | Low risk | Discusses both strengths and weaknesses (false positives) of the tools. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | Low risk | Kernel maintainer discussing their own tooling with no commercial agenda. |